stealc | 15b2fa0131427a7fbffe42ce83f36357661772faa0381e6ab8ef21a81c6380aa

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImPackr.exe
Size

102KB
MD5

2f779ac4318fd4990c828f60d16f2b17
SHA1

a188080158f8cdfe5050d6e828fb69e17ac0be19
SHA256

689951b03517f77b6c04bb57f604f50736dc1a86b87253b0dee73722d4520a11
SHA512

7f6dc79ab6db4615bb0c7b31d36cc8750373f9b7c199bfaa8e1eff9dbd6f0b790fe7e4c9dc86b62abb811d93e946e68ddc171701bddba423079447124ca6464c
SSDEEP

1536:BdPnjwBj/h13T5KRy8DiliMz+WPSC0mJcSs93k0TmOTWAnBchQlQICRXRXYu:BdPjwRrdoirza7C0iOPchc6Np

Score

10^/10

stealc vidar 89083e6d7cd1c8c460b86fe6e70bf17b persistence privilege_escalation stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

Version

10.1

Botnet

89083e6d7cd1c8c460b86fe6e70bf17b

https://guillerme.xyz/

https://t.me/memve4erin

https://steamcommunity.com/profiles/76561199699680841

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral10/memory/1228-64-0x0000000000670000-0x00000000008BD000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 1 IoCs

Processes:

ImPackr.exe

pid process

1956 ImPackr.exe

Loads dropped DLL 13 IoCs

Processes:

ImPackr.exe

pid	process
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ImPackr.exe

description pid process target process

PID 1956 set thread context of 3404 1956 ImPackr.exe netsh.exe

description	pid	process	target process
PID 1956 set thread context of 3404	1956	ImPackr.exe	netsh.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

SearchIndexer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString SearchIndexer.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3804 timeout.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ImPackr.exeImPackr.exenetsh.exeSearchIndexer.exe

pid process

3680 ImPackr.exe
1956 ImPackr.exe
1956 ImPackr.exe
3404 netsh.exe
3404 netsh.exe
1228 SearchIndexer.exe
1228 SearchIndexer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ImPackr.exenetsh.exe

pid process

1956 ImPackr.exe
3404 netsh.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SearchIndexer.exe

pid	process
3804	timeout.exe

pid	process
3680	ImPackr.exe
1956	ImPackr.exe
1956	ImPackr.exe
3404	netsh.exe
3404	netsh.exe
1228	SearchIndexer.exe
1228	SearchIndexer.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ImPackr.exeImPackr.exenetsh.exeSearchIndexer.execmd.exe

description	pid	process	target process
PID 3680 wrote to memory of 1956	3680	ImPackr.exe	ImPackr.exe
PID 3680 wrote to memory of 1956	3680	ImPackr.exe	ImPackr.exe
PID 3680 wrote to memory of 1956	3680	ImPackr.exe	ImPackr.exe
PID 1956 wrote to memory of 3404	1956	ImPackr.exe	netsh.exe
PID 1956 wrote to memory of 3404	1956	ImPackr.exe	netsh.exe
PID 1956 wrote to memory of 3404	1956	ImPackr.exe	netsh.exe
PID 1956 wrote to memory of 3404	1956	ImPackr.exe	netsh.exe
PID 3404 wrote to memory of 1228	3404	netsh.exe	SearchIndexer.exe
PID 3404 wrote to memory of 1228	3404	netsh.exe	SearchIndexer.exe
PID 3404 wrote to memory of 1228	3404	netsh.exe	SearchIndexer.exe
PID 3404 wrote to memory of 1228	3404	netsh.exe	SearchIndexer.exe
PID 3404 wrote to memory of 1228	3404	netsh.exe	SearchIndexer.exe
PID 1228 wrote to memory of 5056	1228	SearchIndexer.exe	cmd.exe
PID 1228 wrote to memory of 5056	1228	SearchIndexer.exe	cmd.exe
PID 1228 wrote to memory of 5056	1228	SearchIndexer.exe	cmd.exe
PID 5056 wrote to memory of 3804	5056	cmd.exe	timeout.exe
PID 5056 wrote to memory of 3804	5056	cmd.exe	timeout.exe
PID 5056 wrote to memory of 3804	5056	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\ImPackr.exe
"C:\Users\Admin\AppData\Local\Temp\ImPackr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Roaming\EdHelp\ImPackr.exe
C:\Users\Admin\AppData\Roaming\EdHelp\ImPackr.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
3⤵
- Event Triggered Execution: Netsh Helper DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
4⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\SysWOW64\SearchIndexer.exe" & rd /s /q "C:\ProgramData\JEGDGIIJJECF" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
6⤵
- Delays execution with timeout.exe
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ac7e0f1b

Filesize
929KB

MD5
7e264989a3e0079a4f135121f41397a4

SHA1
ad2d15f125dff24eb8172a417f9ebbf927f456de

SHA256
c168d39e2301a4064d37bdad897f29871ba3539a86df254c476ae7df2853365f

SHA512
8657d35ddc5b86e1a834efb1c2b33d89aeb12ec2c64c95be6004f4b3e1d0ea4eba18b859cb2acaa79292acc6f21a691becd5a3525a2b969b4c5a06087503ed81

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\IMHttpComm.dll

Filesize
32KB

MD5
a70d91a9fd7b65baa0355ee559098bd8

SHA1
546127579c06ae0ae4f63f216da422065a859e2f

SHA256
96d6264b26decf6595ca6f0584a1b60589ec5dacdf03ddf5fbb6104a6afc9e7a

SHA512
f13b735a47090c7c6cc6c2bf9148408ee6db179c96ee6428270541f27e50ad12cff7486f3a6ffac2ba83fd2e6e8e49661e6258f5aee97eb0f48771cbbd22aefa

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\ImLookExU.dll

Filesize
262KB

MD5
c3d6a629966b2de0ac954c0c75847f59

SHA1
8109256492cb3a2a38a6587b7e1145c58e078769

SHA256
0e469f31a8399483862231a0fe5b78bf90a7df4ac5c0470ae79adc33e4a42d10

SHA512
c80f718baa86aa05a566b8b5f8087a9f32703ef8f00ded809e0a2d74e94604b4b524989d953e26b9752e02fe2601ebe6527ef03384f6368ff6e5dca289a857e0

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\ImLookU.dll

Filesize
606KB

MD5
3ea6d805a18715f7368363dea3cd3f4c

SHA1
30ffafc1dd447172fa91404f07038d759c412464

SHA256
a6766c524497144d585efa4fe384b516b563203427003508f7c8f6bffa7c928d

SHA512
a102f23741de4ca2184485d9aa4ddd1a36b9ea52cb0859cfd264d69a9996293b7e29b325625f1f6f9330d6c80ff415e09e85e1ae838c58acef585ae8dffe3070

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\ImNtUtilU.dll

Filesize
94KB

MD5
bb326fe795e2c1c19cd79f320e169fd3

SHA1
1c1f2b8d98f01870455712e6eba26d77753adcac

SHA256
a8e1b0e676dce9556037d29fd96521ec814858404ba4cfdd0db0edbe22c87bc7

SHA512
a1ec894151baa14e4ac1ee9471e8606bf74edd39f7833d9a1a44eee74d403f6b52780c135e9718ff9564fa27d7128c22b8410b21f77e6d804f698cfb4eda65a1

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\ImPackr.exe

Filesize
102KB

MD5
2f779ac4318fd4990c828f60d16f2b17

SHA1
a188080158f8cdfe5050d6e828fb69e17ac0be19

SHA256
689951b03517f77b6c04bb57f604f50736dc1a86b87253b0dee73722d4520a11

SHA512
7f6dc79ab6db4615bb0c7b31d36cc8750373f9b7c199bfaa8e1eff9dbd6f0b790fe7e4c9dc86b62abb811d93e946e68ddc171701bddba423079447124ca6464c

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\ImUtilsU.dll

Filesize
1.4MB

MD5
a7eaba8bc12b2b7ec2a41a4d9e45008a

SHA1
6a96a18bb4f1cd6196517713ed634f37f6b0362b

SHA256
914b1e53451b8be2c362d62514f28bdef46a133535d959b13f3f4bf3bc63df3a

SHA512
0ae7fbdb2677d92c62337aa17b60a4887240a4a426ba638c7633587f4582adbcda2bde5ec824aab1a3f69acf2b391118763842acfab856d3d9764850961a2ac8

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\ImWrappU.dll

Filesize
158KB

MD5
cbf4827a5920a5f02c50f78ed46d0319

SHA1
b035770e9d9283c61f8f8bbc041e3add0197de7b

SHA256
7187903a9e4078f4d31f4b709a59d24eb6b417ea289f4f28eabce1ea2e713dce

SHA512
d1a285fb630f55df700a74e5222546656de7d2da7e1419e2936078340767d0bab343b603ba0d07140c790eb5d79a8a34b7818b90316ea06cb9f53cad86b6d3f5

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\SftTree_IX86_U_60.DLL

Filesize
570KB

MD5
57bf106e5ec51b703b83b69a402dc39f

SHA1
bd4cfab7c50318607326504cc877c0bc84ef56ef

SHA256
24f2399fc83198ab8d63ee6a1ad6ffbd1eda4d38048d3e809fecd2a3e0709671

SHA512
8bf60649ece6bbb66c7b94ed0d9214fbeab030d5813e1e7b5d6d2349ee1de9075b7dfbbbbeae5af0dc21b071a00eafce0771ca1804e6752e9a71e71e6b1447df

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\chamiso.sql

Filesize
36KB

MD5
6bcc249ad4d750689bf56ca9467b4d06

SHA1
ac6af58e8b556f5c9b35c787b204172a949ee9f3

SHA256
205643214e81608a874ea9ce959437cbeae2ca1f92221a113a2aaa2e3802e277

SHA512
5e6bfb766c80e4a6929c0eadec50874c224b335ff2f7d6ced2e24df62a1fe6e3d523389e2429ccec7f9f90174960185529adcae2af330b3076875577855644ea

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\mfc80u.dll

Filesize
1.0MB

MD5
ccc2e312486ae6b80970211da472268b

SHA1
025b52ff11627760f7006510e9a521b554230fee

SHA256
18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a

SHA512
d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\torpor.zip

Filesize
683KB

MD5
9dfcb15cd9862cb14ac2f9e8d02fa01c

SHA1
3c36b604a8fc07b1a2fd66af80b12b7d27de9c81

SHA256
50872668c0884f57196445492613bb9c3989908072ff765566b43f78464f50fe

SHA512
e819c32d2a6d54e37035d62226dc0d1bb779183f3aeb2566d90b15f792a47b07456aa0c0ad18841d3ccb39a54ea6e7f4c5ea82f8fe0be32b9e5c318e02f086fa

Download Submit
C:\Users\Admin\AppData\Roaming\EdHelp\wlessfp1.dll

Filesize
70KB

MD5
5120c44f241a12a3d5a3e87856477c13

SHA1
cd8a6ef728c48e17d570c8dc582ec49e17104f6d

SHA256
fbd4b6011d3d1c2af22827ca548ba19669eef31173d496e75f064ef7a884431c

SHA512
67c0e718368e950d42f007d6a21c6f903b084d6514f777b86aab3111ffe3be995949674276081c0281139a0b39119b84630a0ac341d4ae78677ac8346f371ae1

Download Submit
memory/1228-63-0x00007FFBC1170000-0x00007FFBC1365000-memory.dmp

Filesize
2.0MB

Download
memory/1228-64-0x0000000000670000-0x00000000008BD000-memory.dmp

Filesize
2.3MB

Download
memory/1956-53-0x0000000076D70000-0x00000000771AC000-memory.dmp

Filesize
4.2MB

Download
memory/1956-50-0x00007FFBC1170000-0x00007FFBC1365000-memory.dmp

Filesize
2.0MB

Download
memory/1956-51-0x0000000076D82000-0x0000000076D84000-memory.dmp

Filesize
8KB

Download
memory/1956-52-0x0000000076D70000-0x00000000771AC000-memory.dmp

Filesize
4.2MB

Download
memory/1956-49-0x0000000076D70000-0x00000000771AC000-memory.dmp

Filesize
4.2MB

Download
memory/3404-56-0x0000000076D71000-0x0000000076D7F000-memory.dmp

Filesize
56KB

Download
memory/3404-57-0x00007FFBC1170000-0x00007FFBC1365000-memory.dmp

Filesize
2.0MB

Download
memory/3404-58-0x0000000076D7E000-0x0000000076D80000-memory.dmp

Filesize
8KB

Download
memory/3404-59-0x0000000076D71000-0x0000000076D7F000-memory.dmp

Filesize
56KB

Download
memory/3404-62-0x0000000076D71000-0x0000000076D7F000-memory.dmp

Filesize
56KB

Download
memory/3680-0-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/3680-2-0x0000000076D70000-0x00000000771AC000-memory.dmp

Filesize
4.2MB

Download
memory/3680-3-0x00007FFBC1170000-0x00007FFBC1365000-memory.dmp

Filesize
2.0MB

Download